Navigate

CCI-001059

CCI-001059 Definition

The organization remediates legitimate vulnerabilities in organization-defined response times in accordance with an organizational assessment risk.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed takes corrective actions as appropriate on legitimate vulnerabilities identified in RA-5, CCI 001058 IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). Audit records of actions must be maintained IAW applicable DoD, CYBERCOM, and/or component policies. DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines audit records to validate the organization is taking action to remediate legitimate vulnerabilities within the required response times (IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs). The organization conducting the inspection/assessment may conduct independent vulnerability scans to compare those scan results with audit records of remediation actions. DoD has defined the response times as IAW an authoritative source (e.g. IAVM, CTOs, DTMs, STIGs).

Compelling Evidence

1.) Standard operating procedure (SOP). 2.) Reference to standard operating procedure (SOP) section pertaining to the procedure in place to take actions to remediate vulnerabilities discovered during a vulnerability scan.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001059.

Control	Description
RA-5	The organization: RA-5a.: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5b.: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b.1.: Enumerating platforms, software flaws, and improper configurations; RA-5b.2.: Formatting checklists and test procedures; and RA-5b.3.: Measuring vulnerability impact; RA-5c.: Analyzes vulnerability scan reports and results from security control assessments; RA-5d.: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and RA-5e.: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control

Description

RA-5

The organization:

RA-5a.: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

RA-5b.: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
- RA-5b.1.: Enumerating platforms, software flaws, and improper configurations;
- RA-5b.2.: Formatting checklists and test procedures; and
- RA-5b.3.: Measuring vulnerability impact;

RA-5c.: Analyzes vulnerability scan reports and results from security control assessments;

RA-5d.: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

RA-5e.: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).